The expose_php setting is an option, something each admin can make up their own mind on. Some will prefer not to waste bandwidth and tell the world what they are running, while others prefer to advertise PHP. Either approach is fine, but from a security perspective you want to give a potential attacker as little information as possible.

> I don't think it would reduce the number of attacks turning the
> version information off. But it would be more cumbersome to help
> people with php issues as the php version is not directly available.

This is simply not true; when a bug comes in we ask the user to specify the version, we don't go looking for their server and checking their version. Old versions of PHP have security holes, a directed attack against only the vulnerable servers would be much harder to spot and take far fewer resources to execute.

Ilia

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php